[Webkit-unassigned] [Bug 156625] New: Deprecate/remove support for X-Frame-Options in `<meta>`

bugzilla-daemon at webkit.org
Fri Apr 15 06:26:18 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=156625

            Bug ID: 156625
           Summary: Deprecate/remove support for X-Frame-Options in
                    `<meta>`
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mkwst at chromium.org

Firefox and Edge follow the RFC's suggestion (https://tools.ietf.org/html/rfc7034#section-4) to ignore the 'X-Frame-Options' header when delivered as `<meta http-equiv="...">` (and have done so from their initial implementations).

Blink has just removed this functionality (https://crbug.com/603002). The risks were outlined in https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/R1gkjKZI0J8, and seem minimal (~150 domains use the feature, period).

Perhaps WebKit could consider removing support as well?

-- 
You are receiving this mail because:
You are the assignee for the bug.
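
An added example, not part of the original bug report or of any browser's code: a check that flags responses whose only framing restriction is an X-Frame-Options `<meta>` element, which browsers following RFC 7034 section 4 ignore. The function name, return labels and sample responses are constructed for illustration; counting a Content-Security-Policy header with frame-ancestors as effective protection is an assumption beyond what the report discusses.

```python
from html.parser import HTMLParser


class _MetaCollector(HTMLParser):
    """Collects the lowercased http-equiv names of all <meta> elements."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        if tag == "meta":
            a = {k: (v or "") for k, v in attrs}
            if "http-equiv" in a:
                self.names.append(a["http-equiv"].strip().lower())


def _has_frame_ancestors(csp):
    """True if a CSP header value contains a frame-ancestors directive."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return True
    return False


def framing_protection(headers, body):
    """Classify how a response restricts framing (hypothetical helper).

    Returns "header" when a real response header restricts framing,
    "meta-only" when the page relies solely on <meta http-equiv>
    (ignored by browsers that follow RFC 7034 section 4), else "none".
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "x-frame-options" in h:
        return "header"
    if _has_frame_ancestors(h.get("content-security-policy", "")):
        return "header"
    collector = _MetaCollector()
    collector.feed(body)
    if "x-frame-options" in collector.names:
        return "meta-only"
    return "none"


# Constructed sample: a page that depends on the <meta> form alone.
SAMPLE_BODY = '<html><head><meta http-equiv="X-Frame-Options" content="DENY"></head></html>'
if __name__ == "__main__":
    print(framing_protection({"Content-Type": "text/html"}, SAMPLE_BODY))
```

Pages reported as "meta-only" need the restriction moved into a response header to be protected.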